Abstract. We present a novel technique for proving program termination which introduces a new dimension of modularity. Existing techniques use the program to incrementally construct a termination proof. While the proof keeps changing, the program remains the same. Our technique goes a step further. We show how to use the current partial proof to partition the transition relation into those behaviors known to be terminating from the current proof, and those whose status (terminating or not) is not known yet. This partition enables a new and unexplored dimension of incremental reasoning on the program side. In addition, we show that our approach naturally applies to conditional termination, which searches for a precondition ensuring termination. We further report on a prototype implementation that advances the state of the art on the grounds of termination and conditional termination.

1 Introduction 

The question of whether or not a given program has an infinite execution is a fundamental theoretical question in computer science, but also a highly interesting question for software practitioners. The first major result is that of Alan Turing, showing that the termination problem is undecidable. Mathematically, the termination problem for a given program Prog is equivalent to deciding whether the transition relation $R$ induced by Prog is well-founded.

The starting point of our paper is a result showing that the well-foundedness problem of a given relation $R$ is equivalent to the problem of asking whether the transitive closure of $R$, noted $R^+$, is disjunctively well-founded [24]. That is, whether $R^+$ is included in some $W$ (in which case $W$ is called a transition invariant) such that $W = W_1 \cup \cdots \cup W_n$, $n \in \mathbb{N}$, and each $W_i$ is well-founded (in which case $W$ is said to be disjunctively well-founded). This result has important practical consequences because it triggered the emergence of effective techniques, based on transition invariants, to solve the termination problem for real-world programs [11,2,28,20].

By replacing the well-foundedness problem of $R$ with the equivalent disjunctive well-foundedness problem of $R^+$, one allows for the incremental construction of $W$: when the inclusion of $R^+$ into $W$ fails, the information from the failure is used to update $W$ with a further well-founded relation [10]. Although the proof is incremental for $W$, it is important to note that a similar result does not hold for $R$. That is, it is in general not true that given $R = R_1 \cup R_2$, if $R_1^+ \subseteq W$ and $R_2^+ \subseteq W$ then $R^+ \subseteq W$.

We introduce a new technique that, besides being incremental for $W$, further partitions the transition relation $R$, separating those behaviors known to be terminating from the current $W$ from those whose status (terminating or not) is not known yet. Formally, given $R$ and a candidate $W$, we shall see how to compute a partition $\{R_G, R_B\}$ of $R$ such that (a) $R_G^+ \subseteq W$; and (b) every infinite sequence $s_1 \mathrel{R} s_2 \mathrel{R} \cdots s_i \mathrel{R} s_{i+1} \cdots$ (or trace) has a suffix that exclusively consists of transitions from $R_B$, namely we have $s_i \mathrel{R_B} s_{i+1} \mathrel{R_B} \cdots$ for some $i \geq 1$.

It follows that well-foundedness of $R_B$ implies that of $R$. Consequently, we can focus our effort exclusively on proving well-foundedness of $R_B$. In the affirmative, $R$ is well-founded as well and hence termination is proven. In the negative, we have found an infinite trace in $R_B$, hence in $R$. We observed that working with $R_B$ typically provides further hints on which well-founded relations to add to $W$. The partition of $R$ into $\{R_G, R_B\}$ enables a new and unexplored dimension of modularity for termination proofs.

Let us mention that the partitioning of $R$ is the result of adopting a fixpoint-centric view on the disjunctive well-foundedness problem and leveraging an equivalent formulation of the inclusion check. More precisely, we introduce the dual of the check $R^+ \subseteq W$ by defining the adjoint of the function $\lambda X.\, X \circ R$ used to define $R^+$. Without defining it now, we write the dual check as follows: $R \subseteq W^-$. We shall see that while the failure of $R^+ \subseteq W$ provides information to update $W$, the failure of $R \subseteq W^-$ provides information on all pairs in $R$ responsible for the failure of $W$ as a transition invariant. This is exactly the information, of semantic rather than syntactic nature, that we use to partition $R$.

We show that the partitioning of $R$ can be used not only for termination, but it also serves for conditional termination. The goal here is to compute a precondition, that is a set $\mathcal{P}$ of states, such that no infinite trace starts from a state of $\mathcal{P}$. We show how to compute a (non-trivial) precondition from the relation $R_B$.

Our contributions are summarized as follows: (i) we present Acabar, a new algorithm which allows for enhanced modular reasoning about infinite behaviors of programs; (ii) we show that, besides termination, Acabar can be used in the context of conditional termination; and (iii) finally, we report on a prototype implementation of our techniques and compare it with the state of the art on two grounds: the termination problem, and the problem of inferring a precondition that guarantees termination.

2 Example 

In this section, we informally overview our proposed techniques on an example taken from the literature [9]. Consider the following loop:

    while (x>0) { x:=x+y; y:=y+z; }

represented by the transition relation $R = \{x > 0, x' = x + y, y' = y + z, z' = z\}$, where the primed variables represent the values of the program variables after executing the loop body. Note that, depending on the input values, the program may not terminate (e.g. for $x = 1$, $y = 1$ and $z = 1$). Below we apply Acabar to prove termination. As we will see, this attempt ends with a failure which provides information on which subset of the transition relation to blame. Then, we will explain how to compute a termination precondition from this subset.

In order to prove termination of this loop, we seek a disjunctively well-founded relation $W$ such that $R^+ \subseteq W$. To find such a $W$, Acabar is supported by incrementally (and automatically) inferring (potential) linear ranking functions for $R$ (or a subset of it) [9,10]. When running on $R$, Acabar first adds the candidate well-founded relation $W_1 = \{x' < x, x > 0\}$ to $W$, which is initially empty. Relation $W_1$ stems from the observation that, in $R$, $x$ is bounded from below (as shown by the guard) but not necessarily decreasing. Hence, using $W = W_1$, Acabar partitions $R$ into $\{R_G^{(1)}, R_B^{(1)}\}$ where:

$R_G^{(1)} = \{x > 0, x' = x + y, y' = y + z, z' = z, y < 0, z \leq 0\}$

$R_B^{(1)} = \{x > 0, x' = x + y, y' = y + z, z' = z, y < 0, z > 0\} \vee \{x > 0, x' = x + y, y' = y + z, z' = z, y \geq 0\}$.



The partition comes with the further guarantee that every infinite trace in $R$ must have a suffix that exclusively consists of transitions from $R_B^{(1)}$, which means that if $R_B^{(1)}$ is well-founded then so is $R$. In addition, one can easily see that $(R_G^{(1)})^+ \subseteq W$.

Next, Acabar calls itself recursively on $R_B^{(1)}$ to show its well-foundedness. As before, it first adds $W_2 = \{y' < y, y \geq 0\}$ to $W$. Similarly to the construction of $W_1$, $W_2$ stems from the observation that, in some parts of $R_B^{(1)}$, $y$ is bounded from below but not necessarily decreasing. Then, using $W = W_1 \vee W_2$, Acabar partitions $R_B^{(1)}$ into:

$R_G^{(2)} = \{x > 0, x' = x + y, y' = y + z, z' = z, z < 0\}$

$R_B^{(2)} = \{x > 0, x' = x + y, y' = y + z, z' = z, y \geq 0, z \geq 0\}$.

Again the partition $\{R_G^{(2)}, R_B^{(2)}\}$ of $R_B^{(1)}$ comes with a similar guarantee. This time it holds that every infinite trace in $R$ must have a suffix that exclusively consists of transitions from $R_B^{(2)}$. Recursively applying Acabar on $R_B^{(2)}$ does not yield any further partitioning, that is, $R_B^{(3)} = R_B^{(2)}$. The reason is that no potential ranking function is automatically inferred. Thus, Acabar fails to prove well-foundedness of $R$, which is indeed not well-founded. However, due to the above guarantee, we can use $R_B^{(2)}$ to infer a sufficient precondition for the termination of $R$. We explain this next.

Inferring a sufficient precondition is done in two steps: (i) we infer (an overapproximation of) the set $\mathcal{L}$ of all states visited by some infinite sequence of steps in $R_B^{(2)}$; and (ii) we infer (an overapproximation of) the set $\mathcal{V}$ of all states each of which can reach $\mathcal{L}$ through some steps in $R$. Turning to the example, we infer $\mathcal{L} = \{x > 0, y \geq 0, z \geq 0\}$ and the following overapproximation $\mathcal{V}'$ of $\mathcal{V}$:

$\mathcal{V}' = \{x \geq 1, z = 0, y \geq 0\} \vee \{x \geq 1, z \geq 1, x + y \geq 1, x + 2y + z \geq 1, x + 3y + 3z \geq 1\}$.

It can be seen that every infinite trace visits only states in $\mathcal{V}'$, hence the complement of $\mathcal{V}'$ is a precondition for termination.

Let us conclude this section by commenting on an example for which Acabar proves termination. Assume that we append z:=z-1 to the loop body above and call $R'$ the induced transition relation. Following our previous explanations, running Acabar on $R'$ updates $W$ from $\emptyset$ to $W_1$, and then to $W_1 \vee W_2$. Then, and contrary to the previous explanations, Acabar will further update $W$ to $W_1 \vee W_2 \vee W_3$ where $W_3$ is the well-founded relation $\{z' < z, z \geq 0\}$. From there, Acabar returns with value $R_B = \emptyset$, hence we have that $R'$ is well-founded.
3 Preliminaries



A transition system is a pair $(Q, R)$ where $Q$ is the set of states and $R \subseteq Q \times Q$ is the transition relation. An initialized transition system includes a further component $\mathcal{I} \subseteq Q$, the set of initial states. For simplicity, we defer the treatment of initial states to Sec. 8.

An $R$-trace is a sequence $s_1, s_2, \ldots, s_n$ of states such that for every $i$, $1 \leq i < n$, we have $(s_i, s_{i+1}) \in R$. When $R$ is clear from the context we simply say trace. An infinite $R$-trace is a sequence $s_1, s_2, \ldots$ of states such that for every $i \geq 1$ we have $(s_i, s_{i+1}) \in R$. Given $R' \subseteq R$ and an infinite $R$-trace $\pi$, we say that $\pi$ has infinitely many steps in $R'$ if $(s_i, s_{i+1}) \in R'$ for infinitely many $i \geq 1$.

Given a relation $R' \subseteq R$ and a set $\mathcal{Q}' \subseteq Q$, define $post[R'](\mathcal{Q}') \stackrel{\text{def}}{=} \{s' \in Q \mid \exists s \in \mathcal{Q}' : (s, s') \in R'\}$. We say that this operator computes the $R'$-successors of $\mathcal{Q}'$. Dually, define $pre[R'](\mathcal{Q}') \stackrel{\text{def}}{=} post[R'^{-1}](\mathcal{Q}') = \{s \in Q \mid \exists s' \in \mathcal{Q}' : (s, s') \in R'\}$. We say that this operator computes the $R'$-predecessors of $\mathcal{Q}'$.$^3$

A relation $W \subseteq Q \times Q$ is called disjunctively well-founded iff $W$ coincides with the union of finitely many relations (viz. $W = W_1 \cup \ldots \cup W_n$) each of which is well-founded (viz. there is no infinite sequence $s_1, s_2, \ldots$ such that $(s_i, s_{i+1}) \in W_\ell$ for all $i \geq 1$).

In this paper, we adhere to the following conventions: calligraphic letters $\mathcal{X}, \mathcal{Y}, \ldots$ refer to subsets of $Q$ and capital letters $X, Y, \ldots$ refer to relations over $Q$, that is subsets of $Q \times Q$. Further, throughout the paper the letter $W$ is used to denote a relation over $Q$ that is disjunctively well-founded.

A linear expression is of the form $a_0 + a_1 x_1 + \cdots + a_n x_n$ where $a_i \in \mathbb{Z}$ and $\mathbf{x} = (x_1, \ldots, x_n)$ are variables ranging over $\mathbb{Z}$. An atomic linear constraint $c$ is of the form $e_1 \mathrel{op} e_2$ where $e_i$ is a linear expression and $op \in \{=, >, <, \geq, \leq\}$. A formula $\psi$ is a Boolean combination of atomic linear constraints. Note that $\neg\psi$ is also a formula. For the sake of simplicity, a conjunction $c_1 \wedge \cdots \wedge c_n$ of atomic linear constraints is sometimes written as the set $\{c_1, \ldots, c_n\}$. A solution of a formula $\psi$ is a mapping from its variables into the integers such that the formula evaluates to true. Sets and relations over, respectively, $\mathbb{Z}^n$ and $\mathbb{Z}^n \times \mathbb{Z}^n$ are sometimes specified using formulas, with the customary convention, for relations, of variables and primed variables. For instance, the formula $\{x > 0, x' = x - y, y' = y\}$ defines the relation $R \subseteq \mathbb{Z}^2 \times \mathbb{Z}^2$ such that $R = \{((x, y), (x', y')) \mid x > 0 \wedge x' = x - y \wedge y' = y\}$.

Finally, we briefly recall classical results of lattice theory and refer to the classical book of Davey and Priestley [15] for further information. Let $f$ be a function over a partially ordered set $(L, \sqsubseteq)$. A fixpoint of $f$ is an element $l \in L$ such that $f(l) = l$. We denote by $\mathit{lfp}\, f$ and $\mathit{gfp}\, f$, respectively, the least and the greatest fixpoint, when they exist, of $f$. The well-known Knaster-Tarski theorem states that each order-preserving function $f \in L \to L$ over a complete lattice $(L, \sqsubseteq, \sqcup, \sqcap, \top, \bot)$ admits a least (greatest) fixpoint and the following characterization holds:

$\mathit{lfp}\, f = \sqcap\{x \in L \mid f(x) \sqsubseteq x\} \qquad \mathit{gfp}\, f = \sqcup\{x \in L \mid x \sqsubseteq f(x)\}$. (1)

$^3$ We define $R^{-1}$, $R^i$ and $R^*$ to be $R^{-1} = \{(s', s) \mid (s, s') \in R\}$, $R^* = \bigcup_{i \geq 0} R^i$ and $R^+ = R \circ R^*$, where $R^0$ is the identity, $R^{i+1} = R^i \circ R$ and $R_1 \circ R_2 = \{(s, s'') \mid \exists s' : (s, s') \in R_1 \wedge (s', s'') \in R_2\}$.
4 Modular Reasoning For Termination



A termination proof based on transition invariants consists in establishing the existence of a disjunctively well-founded transition invariant. That is, the goal is to prove the inclusion of $R^+$ into some $W$. For short, we write $R^+ \subseteq W$. Proving termination is thus reduced to finding some $W$ and proving that the inclusion holds.

In the above inclusion check, $R^+$ coincides with the least fixpoint of the function $\lambda Y.\, R \cup g(Y)$ where $g \stackrel{\text{def}}{=} \lambda Y.\, Y \circ R$. It is known [13] that if we can find an adjoint function $\bar{g}$ to $g$ such that $g(X) \subseteq Y$ iff $X \subseteq \bar{g}(Y)$ for all $X, Y$, then there exists an equivalent inclusion check to $R^+ \subseteq W$. This equivalent check, denoted $R \subseteq W^-$ in the introduction, is such that $W^-$ is defined as a greatest fixpoint of the function $\lambda Y.\, W \cap \bar{g}(Y)$. Next, we define $\bar{g} \stackrel{\text{def}}{=} \lambda Y.\, \neg(\neg Y \circ R^{-1})$.

Lemma 1. Let $X, Y$ be subsets of $Q \times Q$; we have: $X \circ R \subseteq Y \iff X \subseteq \neg(\neg Y \circ R^{-1})$.

Proof. First we need an easily proved logical equivalence:

$(\varphi_1 \wedge \varphi_2) \Rightarrow \varphi_3 \quad\text{iff}\quad (\neg\varphi_3 \wedge \varphi_2) \Rightarrow \neg\varphi_1$.

Then we have:

$X \circ R \subseteq Y$
iff $\forall s, s', s_1 : ((s, s_1) \in X \wedge (s_1, s') \in R) \Rightarrow (s, s') \in Y$
iff $\forall s, s', s_1 : ((s, s') \notin Y \wedge (s_1, s') \in R) \Rightarrow (s, s_1) \notin X$ (by the above equivalence)
iff $\forall s, s', s_1 : ((s, s') \notin Y \wedge (s', s_1) \in R^{-1}) \Rightarrow (s, s_1) \notin X$ (def. of $R^{-1}$)
iff $\forall s, s', s_1 : ((s, s') \in \neg Y \wedge (s', s_1) \in R^{-1}) \Rightarrow (s, s_1) \in \neg X$
iff $(\neg Y \circ R^{-1}) \subseteq \neg X$
iff $X \subseteq \neg(\neg Y \circ R^{-1})$. □

Intuitively, $g$ corresponds to forward reasoning for proving termination while $\bar{g}$ corresponds to backward reasoning because of the composition with $R^{-1}$. The least fixpoint $\mathit{lfp}\, \lambda Y.\, R \cup g(Y)$ is the least relation $Z$ containing $R$ and closed by composition with $R$, viz. $R \subseteq Z$ and $Z \circ R \subseteq Z$. On the other hand, the greatest fixpoint $\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ is best understood as the result of removing from $W$ all those pairs $(s, s')$ of states such that $\{(s, s')\} \circ R^+ \not\subseteq W$. This process returns the largest subset $Z'$ of $W$ which is closed by composition with $R$, viz. $Z' \subseteq W$ and $Z' \circ R \subseteq Z'$. Using the results of Cousot [13] we find next that termination can be shown by proving either inclusion of Lem. 2.

Lemma 2 (from [13]). $\mathit{lfp}\, \lambda Y.\, R \cup g(Y) \subseteq W \iff R \subseteq \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$.

Proof.

$\mathit{lfp}\, \lambda Y.\, R \cup g(Y) \subseteq W$
iff $\exists A : R \subseteq A \wedge g(A) \subseteq A \wedge A \subseteq W$ (by (1))
iff $\exists A : R \subseteq A \wedge A \subseteq \bar{g}(A) \wedge A \subseteq W$ (Lem. 1)
iff $R \subseteq \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ (by (1)). □

Recall that $W$ is always assumed to be disjunctively well-founded.

As we shall see, the inclusion check based on the greatest fixpoint has interesting consequences when trying to prove termination.

An important feature when proving termination using transition invariants is to define actions to take when the inclusion check $\mathit{lfp}\, \lambda Y.\, R \cup g(Y) \subseteq W$ fails. In this case, some information is extracted from the failure (e.g., a counterexample), and is used to enrich $W$ with more well-founded relations [10].

We shall see that, for the backward approach, failure of $R \subseteq \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ induces a partition of the transition relation $R$ into $\{R_G, R_B\}$ such that (a) $(R_G)^+ \subseteq W$, together with the following termination guarantee: (b) every infinite $R$-trace contains a suffix that is an infinite $R_B$-trace (Lem. 4). An important consequence of this is that we can focus our effort exclusively on proving termination of $R_B$. It is important to note that the guarantee that no infinite $R$-trace contains infinitely many steps from $R_G$ is not true for an arbitrary partition $\{R_G, R_B\}$ of $R$, but it is true for our partition, which we define next.

Definition 1. Let $G = \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$; we define $\{R_G, R_B\}$ to be the partition of $R$ given by $R_G = R \cap G$ and $R_B = R \setminus R_G$.

Example 1. Let $R = \{x \geq 1, x' = x + y, y' = y - 1\}$ and assume $W = \{x' < x, x \geq 1\}$, which is well-founded, hence disjunctively well-founded as well. Evaluating the greatest fixpoint (we omit calculations) yields

$R_G = \{x \geq 1, x' = x + y, y' = y - 1, y < 0\}$
$R_B = \{x \geq 1, x' = x + y, y' = y - 1, y \geq 0\}$

which is clearly a partition of $R$. The relation $R_G$ consists of those pairs of states where $y$ is negative, hence $x$ is decreasing as captured by $W$. On the other hand, $R_B$ consists of those pairs where $y$ is positive or null. It follows that, when taking a step from $R_B$, $x$ does not decrease. This is precisely for those pairs that $W$ fails to show termination. ■

Next, we state and prove the termination guarantees of the partition $\{R_G, R_B\}$.

Lemma 3. Given $R_G$ as in Def. 1 we have $\mathit{lfp}\, \lambda Y.\, R_G \cup Y \circ R \subseteq W$.

Proof.

$G \subseteq \bar{g}(G) \wedge G \subseteq W$ (def. of $G$ and (1))
only if $g(G) \subseteq G \wedge G \subseteq W$ (Lem. 1)
only if $R \cap G \subseteq G \wedge g(G) \subseteq G \wedge G \subseteq W$
only if $R_G \subseteq G \wedge g(G) \subseteq G \wedge G \subseteq W$ (def. of $R_G$)
only if $\mathit{lfp}\, \lambda Y.\, R_G \cup g(Y) \subseteq W$ (by (1)). □

An equivalent formulation of the previous result is $R_G \circ R^* \subseteq W$, which in turn implies, since $R_G \subseteq R$, that $(R_G \circ R^*)^+ \subseteq W$, and also $(R_G)^+ \subseteq W$.

Lemma 4. Every infinite $R$-trace has a suffix that is an infinite $R_B$-trace.

Proof. Assume the contrary, i.e., there exists an infinite $R$-trace $s_1, s_2, \ldots$ that contains infinitely many steps from $R_G$. Let $S = s_{i_1}, s_{i_2}, \ldots$ be the infinite subsequence of states such that $(s_{i_j}, s_{i_j + 1}) \in R_G$ for all $j \geq 1$. Recall also that $W = W_1 \cup \cdots \cup W_n$ where each $W_\ell$ is well-founded. For any $s_i, s_j \in S$ with $i < j$ it holds that $(s_i, s_j) \in R_G \circ R^*$, and thus, according to Lem. 3, we also have that $(s_i, s_j) \in W_\ell$ for some $1 \leq \ell \leq n$. Ramsey's theorem [25] guarantees the existence of an infinite subsequence $S' = s_{j_1}, s_{j_2}, \ldots$ of $S$, and a single $W_\ell$, such that for all $s_i, s_j \in S'$ with $i < j$ we have $(s_i, s_j) \in W_\ell$. This contradicts that $W_\ell$ is well-founded and we are done. □

Remark 1. When fixpoints are not computable, they can be approximated from above or from below [14]. It is routine to check that the results of Lemmas 3 and 4 remain valid when replacing $G = \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ in Def. 1 with any $G' \subseteq \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$. Therefore we have that, even when approximating $\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ from below, the termination guarantees of $\{R_G, R_B\}$ still hold. In Sec. 6, we shall see how to exploit this result in practice.

Example 2 (cont'd from Ex. 1). We left Ex. 1 with $W = \{x' < x, x \geq 1\}$ and $R_B = \{x \geq 1, x' = x + y, y' = y - 1, y \geq 0\}$. As argued previously, to prove the well-foundedness of $R$ it is enough to show that $R_B$ is well-founded. For clarity, we rename $R_B$ into $R^{(1)}$. Next we partition $R^{(1)}$ as we did for $R$ in Ex. 1. As a result, we update $W$ by adding the well-founded relation $\{y' < y, y \geq 0\}$. Then we evaluate again $G$ (we omit calculations), which yields an empty $R_B$. Hence we conclude from Lem. 4 that $R$ is well-founded. ■

Building upon all the previous results, we introduce Acabar, which is given at Alg. 1. Acabar is a recursive procedure that takes as input two parameters: a transition relation $R$ and a disjunctively well-founded relation $W$. The second parameter is intended for recursive calls, hence the user should invoke Acabar as follows: Acabar($R$, $\emptyset$). We call it the root call. Upon termination, Acabar returns a subset $R_B$ of the transition relation $R$. If it returns the empty set, then the relation $R$ is well-founded, hence termination is proven. Otherwise ($R_B \neq \emptyset$), we cannot know for sure if $R$ is well-founded: there might be an infinite $R$-trace. However, Lem. 4 tells us that every infinite $R$-trace must have a suffix that is an infinite $R_B$-trace. It may also be the case that $R_B$ is well-founded (and so is $R$), in which case it was not discovered by Acabar. Another case is that $R_B = R$. In this case we have made no progress and therefore we stop. Whenever $R_B \neq \emptyset$, we call this returned value the problematic subset of $R$.

Next we study progress properties of Acabar. We start by defining the sequence $(R^{(i)})_{i \geq 0}$ where each $R^{(i)}$ is the argument passed to the $i$-th recursive call to Acabar. In particular, $R^{(0)}$ is the argument of the root call. Furthermore, we define the sequences $(R_G^{(i)})_{i \geq 1}$ and $(R_B^{(i)})_{i \geq 1}$ where $\{R_G^{(i)}, R_B^{(i)}\}$ is a partition of $R^{(i-1)}$ and $R^{(i)} = R_B^{(i)}$ for all $i \geq 1$.

Lemma 5. Let a run of Acabar have at least $i \geq 1$ recursive calls; then we have $R^{(i)} \subsetneq R^{(i-1)}$.

Proof. The proof is by induction on $i$. For $i = 1$ it follows from the definitions that $R^{(1)} = R_B^{(1)}$ and $\{R_G^{(1)}, R_B^{(1)}\}$ is a partition of $R^{(0)}$. Moreover, since at least $i = 1$ recursive calls take place, we find that the condition of line 5 fails, meaning neither $R_G^{(1)}$ nor $R_B^{(1)}$ is empty, hence $R^{(1)}$ is a strict subset of $R^{(0)}$. The inductive case is similar. □
Algorithm 1: Enhanced modular reasoning

Acabar($R$, $W$)
Input: a relation $R \subseteq Q \times Q$
Input: a relation $W \subseteq Q \times Q$ such that $W$ is disjunctively well-founded
Output: $R_B \subseteq R$
1 begin
2   $W := W \cup$ find_dwf_candidate($R$)
3   let $G$ be such that $G \subseteq \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$
4   $R_B := R \setminus G$
5   if $R_B = \emptyset$ or $R_B = R$ then
6     return $R_B$
7   else
8     return Acabar($R_B$, $W$)



By Lemmas 4 and 5, we have that every infinite $R^{(0)}$-trace has a suffix that is an infinite $R_B^{(i)}$-trace for every $i \geq 1$. As a consequence, forcing Acabar to execute line 6 after a predefined number of recursive calls, it returns a relation $R_B^{(i)}$ such that the previous property holds. Incidentally, we find that Acabar proves program termination when it returns the empty set, as stated next.

Theorem 1. Upon termination of the call Acabar($R$, $\emptyset$), if it returns the empty set, then the relation $R$ is well-founded.

Let us now turn to line 2. There, Acabar calls a subroutine find_dwf_candidate($R$) implementing a heuristic search which returns a disjunctively well-founded relation using hints from the representation and the domain of $R$. Details about its implementation, which is inspired by previous work [9,10], will be given in Sec. 6, where we consider the case of $R$ being a relation over the integers of the form $R = \rho_1 \vee \cdots \vee \rho_n$ where each $\rho_i$ is a conjunction of linear constraints over the variables $\mathbf{x}$ and $\mathbf{x}'$. Let us intuitively explain this procedure on an example.

Example 3 (cont'd from Ex. 2). Acabar($R$, $\emptyset$) updates $W$ as follows: (1) $\emptyset$; (2) $\{x' < x, x \geq 1\}$; (3) $\{x' < x, x \geq 1\}, \{y' < y, y \geq 0\}$. The first update from $\emptyset$ to $\{x' < x, x \geq 1\}$ is the result of calling find_dwf_candidate($R$). The hint used by find_dwf_candidate is that $x$ is bounded from below in $R$. The second update to $W$ results from calling find_dwf_candidate($R_B = \{x \geq 1, x' = x + y, y' = y - 1, y \geq 0\}$). Since $R_B$ has the linear ranking function $f(x, y) = y$, find_dwf_candidate returns $\{y' < y, y \geq 0\}$. ■
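The partition of Def. 1 and the recursion of Alg. 1 can be run exactly on a finite transition system, where $G$ is computable. The following Python example is added here and is not code from the paper or from the Acabar prototype: it restricts the loops of Ex. 1-3 and of Sec. 2 (Ex. 4) to a finite box of integer states (transitions leaving the box are dropped, an assumption made only for this demonstration), computes $G$ as the largest subset of $W$ closed under composition with $R$ (which, for a finite $R$, is exactly $\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$), and replaces the heuristic find_dwf_candidate by a fixed list of candidate well-founded relations supplied by the caller. All function and variable names are ours.

```python
# Added example (not the paper's or the prototype's code): Def. 1 and Alg. 1 on a
# finite transition system, with relations represented as Python sets of state pairs.
from collections import deque


def build_relation(states, guard, step):
    """R = {(s, step(s)) | guard(s)} restricted to the finite state space `states`.
    Transitions leaving the finite space are dropped (demonstration-only assumption)."""
    states = set(states)
    return {(s, step(s)) for s in states if guard(s) and step(s) in states}


def successors(R):
    succ = {}
    for s, t in R:
        succ.setdefault(s, set()).add(t)
    return succ


def reachable(succ, start):
    """post[R*]({start}): `start` together with every state reachable from it."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for t in succ.get(s, ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def partition(R, W):
    """Def. 1 on a finite R. G = gfp λY. W ∩ ḡ(Y) is the largest subset of W closed
    under composition with R, so (s, s') ∈ G iff (s, s'') ∈ W for every s'' in
    post[R*]({s'}). Returns (R_G, R_B) with R_G = R ∩ G and R_B = R \\ R_G."""
    succ = successors(R)
    RG = {(s, t) for (s, t) in R if all(W(s, u) for u in reachable(succ, t))}
    return RG, R - RG


def closure_in_W(RG, W):
    """Independent check of the consequence (R_G)^+ ⊆ W of Lemma 3, walking R_G only."""
    succ = successors(RG)
    return all(W(s, u) for (s, t) in RG for u in reachable(succ, t))


def acabar(R, candidates, W=()):
    """Alg. 1. find_dwf_candidate (line 2) is replaced by a caller-supplied list of
    candidate well-founded relations, consumed one per call (assumption; the paper's
    heuristic is not reproduced). Each candidate is a predicate on a pair of states."""
    W = list(W)
    if candidates:
        W.append(candidates[0])                          # line 2
    W_pred = lambda s, t: any(w(s, t) for w in W)        # W = W_1 ∪ ... ∪ W_n
    RG, RB = partition(R, W_pred)                        # lines 3-4, G computed exactly
    if not RB or RB == R:                                # line 5
        return RB                                        # line 6
    return acabar(RB, candidates[1:], W)                 # line 8


# Ex. 1-3: while (x >= 1) { x := x + y; y := y - 1 } on a finite box of states.
BOX2 = [(x, y) for x in range(-10, 21) for y in range(-8, 9)]
R_EX1 = build_relation(BOX2, guard=lambda s: s[0] >= 1,
                       step=lambda s: (s[0] + s[1], s[1] - 1))
W1 = lambda s, t: s[0] >= 1 and t[0] < s[0]    # {x' < x, x >= 1}
W2 = lambda s, t: s[1] >= 0 and t[1] < s[1]    # {y' < y, y >= 0}

# Sec. 2 / Ex. 4: while (x > 0) { x := x + y; y := y + z } (z unchanged), not well-founded.
BOX3 = [(x, y, z) for x in range(-10, 21) for y in range(-8, 9) for z in range(-3, 4)]
R_EX4 = build_relation(BOX3, guard=lambda s: s[0] > 0,
                       step=lambda s: (s[0] + s[1], s[1] + s[2], s[2]))
WX = lambda s, t: s[0] > 0 and t[0] < s[0]     # {x' < x, x > 0}
WY = lambda s, t: s[1] >= 0 and t[1] < s[1]    # {y' < y, y >= 0}

if __name__ == "__main__":
    RG, RB = partition(R_EX1, W1)
    print(len(RG), "good pairs,", len(RB), "bad pairs, (R_G)^+ in W:", closure_in_W(RG, W1))
    print("Ex. 1 problematic subset:", acabar(R_EX1, [W1, W2]))
    print("Ex. 4 problematic pairs:", len(acabar(R_EX4, [WX, WY])))
```

On the loop of Ex. 1 the first partition puts exactly the pairs with $y < 0$ into $R_G$, and the second call (with $\{y' < y, y \geq 0\}$ added) returns $\emptyset$, as in Ex. 2. On the loop of Sec. 2 the returned problematic subset is non-empty and contains every pair with $y \geq 0$ and $z \geq 0$, matching Ex. 4; pairs near the border of the box may be classified differently from the symbolic analysis because their successors were dropped.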

5 Acabar for Conditional Termination 

As mentioned previously, upon termination, Acabar returns a subset $R_B$ of the transition relation $R$. If this set is empty then $R$ is well-founded and we are done. Otherwise, $R_B$ is a non-empty subset called the problematic set. In this section, we shall see how to compute, given the problematic set, a precondition $\mathcal{P}$ for termination. More precisely, $\mathcal{P}$ is a set of states such that no infinite $R$-trace starts with a state of $\mathcal{P}$. We illustrate our definitions using the simple but challenging example of Sec. 2.

Example 4. Consider again the relation $R = \{x > 0, x' = x + y, y' = y + z, z' = z\}$. Upon termination Acabar returns the following relation:

$R_B = \{x' = x + y, y' = y + z, z' = z, x > 0, y \geq 0, z \geq 0\}$

which corresponds to all the cases where $x$ is stable or increasing over time. ■

Lemma 4 tells us that every infinite $R$-trace $\pi$ is such that $\pi = \pi_f \pi_\infty$ where $\pi_f$ is a finite $R$-trace and $\pi_\infty$ is an infinite $R_B$-trace. Our computation of a precondition for termination is divided into the following parts: (i) compute the set $\mathcal{L}$ of those states visited by an infinite $R_B$-trace; (ii) compute the set $\mathcal{V}$ of $R^*$-predecessors of $\mathcal{L}$, that is the set of states visited by some $R$-trace ending in $\mathcal{L}$; and (iii) compute $\mathcal{P}$ as the complement of $\mathcal{V}$. Formally, (i) is given by the greatest fixpoint expression $\mathit{gfp}\, \lambda\mathcal{X}.\, pre[R_B](\mathcal{X})$. This expression is directly inspired by the work of Bozga et al. [5] on deciding conditional termination. This greatest fixpoint is the largest set $\mathcal{X}$ of states each of which has an $R_B$-successor in $\mathcal{X}$. Because of this property, every infinite $R_B$-trace visits only states in $\mathcal{L}$. In $\pi = \pi_f \pi_\infty$, this corresponds to the suffix $\pi_\infty$ that is an infinite $R_B$-trace.

Example 5. For $R_B$ as given in Ex. 4, we have that $\mathcal{L} = \{z \geq 0, y \geq 0, x > 0\}$, which contains the following infinite $R_B$-trace:

$(x = 1, y = 0, z = 0) \mathrel{R_B} (x = 1, y = 0, z = 0) \mathrel{R_B} (x = 1, y = 0, z = 0) \mathrel{R_B} \cdots$ ■

Let us now turn to (ii), that is computing the set $\mathcal{V}$ of $R^*$-predecessors of $\mathcal{L}$. It is known that $\mathcal{V}$ coincides with $\mathit{lfp}\, \lambda\mathcal{X}.\, \mathcal{L} \cup pre[R](\mathcal{X})$. Intuitively, we prepend to those infinite $R_B$-traces a finite $R$-trace. That is, prefixing $\pi_f$ to $\pi_\infty$ results in $\pi = \pi_f \pi_\infty$. Finally, step (iii) results in a precondition for termination $\mathcal{P}$ obtained by complementing $\mathcal{V}$.

Example 6. Computing $\mathit{lfp}\, \lambda\mathcal{X}.\, \mathcal{L} \cup pre[R](\mathcal{X})$ for $\mathcal{L}$ as given in Ex. 5 and $R = \{x' = x + y, y' = y + z, z' = z, x > 0\}$ (Ex. 4) gives $\mathcal{V} = \mathcal{V}_1 \vee \mathcal{V}_2$ where

$\mathcal{V}_1 = \{x \geq 1, z = 0, y \geq 0\}$

$\mathcal{V}_2 = \{x \geq 1, z \geq 1\} \cup \{x + i \cdot y + j \cdot z \geq 1 \mid i \geq 1, j = \sum_{l=0}^{i-1} l\}$.

Intuitively, the set $\mathcal{V}_1$ of states corresponds to entering the loop with $z = 0$ and $y$ non-negative, in which case the loop clearly does not terminate. The set $\mathcal{V}_2$ of states corresponds to entering the loop with $z$ positive, and the loop does not terminate after $i$ iterations, for all $i$. Note that $\mathcal{V}_2$ consists of infinitely many atomic formulas. Complementing $\mathcal{V}$ gives $\mathcal{P}$. ■

Theorem 2. There exists an infinite $R$-trace starting from $s$ iff $s \notin \mathcal{P}$.

Approximations. As argued previously, it is often the case that only approximations of fixpoints are available. In our case, any overapproximation of either $\mathcal{L}$ or $\mathcal{V}$ can be exploited to infer $\mathcal{P}$. Because of approximations, we lose the "if" direction of the theorem; that is, we can only say that there is no infinite $R$-trace starting from any $s \in \mathcal{P}$.
Example 7. Using finite disjunctions of linear constraints, we can approximate $\mathcal{V}$ by

$\{x \geq 1, z = 0, y \geq 0\} \vee \{x \geq 1, z \geq 1, x + y \geq 1, x + 2y + z \geq 1, x + 3y + 3z \geq 1\}$

and then the complement $\mathcal{P}$ is

$x \leq 0 \vee x + y \leq 0 \vee x + 2y + z \leq 0 \vee x + 3y + 3z \leq 0 \vee z \leq -1 \vee (y \leq -1 \wedge z \leq 0)$

which is a sufficient precondition for termination. Note that the first 4 disjuncts correspond to the executions which terminate after 0, 1, 2 and 3 iterations. ■
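Steps (i)-(iii) above, together with the approximation remark, can be made concrete on a finite state space, where both fixpoints are computable exactly. The Python below is an added example, not the paper's implementation: it models the loop of Ex. 4-7 on a finite box of integer states, adds an absorbing state TOP for executions that leave the box (treated as possibly non-terminating, which keeps $\mathcal{P}$ sound in the sense of the paragraph on approximations), takes the sources of $R_B$ from Ex. 4, and computes $\mathcal{L}$, $\mathcal{V}$ and $\mathcal{P}$ by Kleene iteration. The box bounds and all names are ours.

```python
# Added example (not the paper's implementation): steps (i)-(iii) of Sec. 5 computed
# exactly on a finite box of states, with an absorbing state TOP for executions that
# leave the box. Treating TOP as non-terminating keeps the precondition P sound.
TOP = "top"


def make_system(states, guard, step):
    """(Q, R) over the finite box plus TOP; out-of-box successors are redirected to TOP."""
    states = set(states)
    R = {(TOP, TOP)}
    for s in states:
        if guard(s):
            t = step(s)
            R.add((s, t if t in states else TOP))
    return states | {TOP}, R


def predecessors(R):
    pre = {}
    for s, t in R:
        pre.setdefault(t, set()).add(s)
    return pre


def pre_of(pre, X):
    """pre[R](X) = {s | exists s' in X : (s, s') in R}, with `pre` indexed by target."""
    return {s for t in X for s in pre.get(t, ())}


def gfp_pre(Q, R):
    """Step (i): gfp λX. pre[R](X), the largest X whose every state has an R-successor
    in X. Descending Kleene iteration from Q (the sequence X_{i+1} = X_i ∧ pre[R](X_i)
    of Sec. 6, run to its fixpoint because the state space is finite)."""
    pre = predecessors(R)
    X = set(Q)
    while True:
        nxt = X & pre_of(pre, X)
        if nxt == X:
            return X
        X = nxt


def lfp_pre(L, R):
    """Step (ii): lfp λX. L ∪ pre[R](X), i.e. backward reachability from L."""
    pre = predecessors(R)
    X, todo = set(L), list(L)
    while todo:
        t = todo.pop()
        for s in pre.get(t, ()):
            if s not in X:
                X.add(s)
                todo.append(s)
    return X


def termination_precondition(states, guard, step, problematic):
    """Steps (i)-(iii) of Sec. 5. `problematic` selects the sources of R_B; R_B also
    keeps the TOP self-loop so that TOP counts as a possibly non-terminating state."""
    Q, R = make_system(states, guard, step)
    RB = {(s, t) for (s, t) in R if s is TOP or problematic(s)}
    L = gfp_pre(Q, RB)          # (i)   states lying on infinite R_B-traces
    V = lfp_pre(L, R)           # (ii)  R*-predecessors of L
    P = set(states) - V         # (iii) complement, restricted to the box
    return P, L, V


def runs_to_exit(s, guard, step, limit):
    """Concrete execution of the loop from s; used only to sanity-check P."""
    for _ in range(limit):
        if not guard(s):
            return True
        s = step(s)
    return False


# Loop of Ex. 4-7: while (x > 0) { x := x + y; y := y + z }, z unchanged.
GUARD = lambda s: s[0] > 0
STEP = lambda s: (s[0] + s[1], s[1] + s[2], s[2])
PROBLEMATIC = lambda s: s[1] >= 0 and s[2] >= 0     # sources of R_B, from Ex. 4
BOX = [(x, y, z) for x in range(-30, 31) for y in range(-10, 11) for z in range(-3, 4)]


def example():
    return termination_precondition(BOX, GUARD, STEP, PROBLEMATIC)


if __name__ == "__main__":
    P, L, V = example()
    print(len(P), "states in P; (5,-1,0) in P:", (5, -1, 0) in P, "; (5,0,0) in P:", (5, 0, 0) in P)
```

The computed $\mathcal{L}$, restricted to the box, is exactly the set $\{x > 0, y \geq 0, z \geq 0\}$ of Ex. 5. $\mathcal{P}$ is sound but box-dependent: it contains states such as $(10, 3, -2)$, which the symbolic precondition of Ex. 7 also covers through $z \leq -1$, and it also contains states like $(10, -4, 1)$ that exit only after four iterations and are missed by the four-iteration unrolling of Ex. 7, while a state whose run leaves the box before exiting is conservatively left out.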

6 Implementation 

We have implemented the techniques described in Sec. 4 and 5 for the case of multiple-path integer linear-constraint loops. These loops correspond to relations of the form $R = \rho_1 \vee \cdots \vee \rho_d$ where each $\rho_i$ is a conjunction of linear constraints over the variables $\mathbf{x}$ and $\mathbf{x}'$. In this context, the set $Q$ of states is equal to $\mathbb{Z}^n$ where $n$ is the number of variables in $\mathbf{x}$. This is a classical setting for termination [4,6,24]. Internally, we represent sets of states and relations over them as DNF formulas where the atoms are linear constraints. In what follows, we explain sufficient implementation details so that our experiments can be independently reproduced if desired. Our implementation is available [1].

We start with line 2 of Alg. 1. Recall that the purpose of this line is to add more well-founded relations to $W$ based on the current relation $R$. In our implementation, $W$ consists of well-founded relations of the form $\{f(\mathbf{x}) \geq 0, f(\mathbf{x}') < f(\mathbf{x})\}$ where $f$ is a linear function [10,9]. Thus, our implementation looks for such well-founded relations. In particular, for each $\rho_i$ of $R$ we add new well-founded relations to $W$ as follows: if $\rho_i$ has a linear ranking function $f(\mathbf{x})$ that is synthesized automatically [24,4], then $\{f(\mathbf{x}') < f(\mathbf{x}), f(\mathbf{x}) \geq 0\}$ is added to $W$; otherwise, let $\{f_1(\mathbf{x}) \geq 0, \ldots, f_d(\mathbf{x}) \geq 0\}$ be the result of projecting $\rho_i$ on $\mathbf{x}$ (i.e., eliminating the variables $\mathbf{x}'$ from $\rho_i$); then $\{\{f_j(\mathbf{x}') < f_j(\mathbf{x}), f_j(\mathbf{x}) \geq 0\} \mid 1 \leq j \leq d\}$ is added to $W$. Because $f_j$ is bounded but not necessarily decreasing, it is called a potential linear ranking function [9].

As for line 3, recall that $G$ is a subset of $\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$. Furthermore, the sole purpose of $G$ is to compute $R_B = R \setminus G$. We now observe that $\neg G$, the complement of $G$, is as good as $G$. In fact, $R_B = R \cap (\neg G)$. So by considering $\neg G$ instead, what we are looking for is an overapproximation of $\neg(\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y))$. Next we recall Park's theorem, which replaces the above expression by a least fixpoint expression.

Theorem 3 (From [23]). Let $(L, \sqsubseteq, \sqcap, \sqcup, \top, \bot, \neg)$ be a complete Boolean algebra and let $f \in L \to L$ be an order-preserving function; then $f' = \lambda X.\, \neg(f(\neg X))$ is an order-preserving function on $L$ and $\neg(\mathit{gfp}\, f) = \mathit{lfp}\, f'$.

Park's theorem applies in our setting because computations are carried over the Boolean algebra $(2^{Q \times Q}, \subseteq, \cap, \cup, Q \times Q, \emptyset, \neg)$. Applying it to $\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ where $\bar{g}(Y) = \neg(\neg Y \circ R^{-1})$, we find that

$\neg(\mathit{gfp}\, \lambda Y.\, W \cap \neg(\neg Y \circ R^{-1})) = \mathit{lfp}\, \lambda Y.\, (\neg W) \cup Y \circ R^{-1}$.

Therefore, to implement line 3, we rely on abstract interpretation to compute an overapproximation of $\mathit{lfp}\, \lambda Y.\, (\neg W) \cup Y \circ R^{-1}$, hence, by negation, an underapproximation of $\mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$, therefore complying with the requirement on $G$.
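Lemma 1, Lemma 2 (Sec. 4) and Theorem 3 are all statements about the complete Boolean algebra $2^{Q \times Q}$, so for a small finite $Q$ they can be checked by exhaustive computation. The Python below is an added example, not part of the paper or its prototype: it computes $R^+$, $\bar{g}$, $G = \mathit{gfp}\, \lambda Y.\, W \cap \bar{g}(Y)$ and $\mathit{lfp}\, \lambda Y.\, (\neg W) \cup Y \circ R^{-1}$ by Kleene iteration on random relations over five states and checks the three facts on each sample; the sampling densities and the seed are arbitrary choices of ours.

```python
# Added example (not from the paper): brute-force check, on small random relations, of
# the three fixpoint facts this section relies on: Lemma 1 (adjunction), Lemma 2
# (forward vs. backward inclusion check) and Theorem 3 (Park: ¬G as a least fixpoint).
import random
from itertools import product


def compose(A, B):
    """A ∘ B = {(s, s'') | ∃ s' : (s, s') ∈ A ∧ (s', s'') ∈ B}."""
    by_source = {}
    for s, t in B:
        by_source.setdefault(s, set()).add(t)
    return {(s, u) for (s, t) in A for u in by_source.get(t, ())}


def inverse(R):
    return {(t, s) for (s, t) in R}


def iterate(f, start):
    """Kleene iteration from `start` until a fixpoint is reached. For a monotone f on a
    finite lattice this yields lfp f from ⊥ and gfp f from ⊤."""
    x = start
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


def g_bar(Y, R, ALL):
    """ḡ(Y) = ¬(¬Y ∘ R^{-1}), complement taken in ALL = Q × Q."""
    return ALL - compose(ALL - Y, inverse(R))


def transitive_closure(R):
    """R^+ = lfp λY. R ∪ Y ∘ R."""
    return iterate(lambda Y: R | compose(Y, R), set())


def greatest_G(W, R, ALL):
    """G = gfp λY. W ∩ ḡ(Y) (Def. 1), by descending iteration from Q × Q."""
    return iterate(lambda Y: W & g_bar(Y, R, ALL), ALL)


def not_G_by_park(W, R, ALL):
    """lfp λY. (¬W) ∪ Y ∘ R^{-1}, which Park's theorem says equals ¬G."""
    return iterate(lambda Y: (ALL - W) | compose(Y, inverse(R)), set())


def check_fixpoint_facts(n_states=5, trials=100, seed=1):
    """True iff Lemma 1, Lemma 2 and Park's equation hold on every sampled instance."""
    rng = random.Random(seed)
    ALL = set(product(range(n_states), repeat=2))
    for _ in range(trials):
        R = {p for p in ALL if rng.random() < 0.25}
        W = {p for p in ALL if rng.random() < 0.6}
        X = {p for p in ALL if rng.random() < 0.3}
        Y = {p for p in ALL if rng.random() < 0.5}
        # Lemma 1: X ∘ R ⊆ Y  iff  X ⊆ ḡ(Y)
        if (compose(X, R) <= Y) != (X <= g_bar(Y, R, ALL)):
            return False
        G = greatest_G(W, R, ALL)
        # G is a subset of W closed under composition with R (reading of G in Sec. 4)
        if not (G <= W and compose(G, R) <= G):
            return False
        # Lemma 2: R^+ ⊆ W  iff  R ⊆ G
        if (transitive_closure(R) <= W) != (R <= G):
            return False
        # Theorem 3 (Park): ¬G = lfp λY. (¬W) ∪ Y ∘ R^{-1}
        if ALL - G != not_G_by_park(W, R, ALL):
            return False
    return True


if __name__ == "__main__":
    print("all fixpoint facts hold on the samples:", check_fixpoint_facts())
```

On the three-state instance $R = \{(0, 1), (1, 2)\}$ with $W = \{(0, 1), (1, 2)\}$ the computation returns $G = \{(1, 2)\}$: the pair $(0, 1)$ is dropped because $(0, 2) \in \{(0,1)\} \circ R^+$ lies outside $W$, which is exactly the failure information the partition of Def. 1 exploits.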

As far as abstract interpretation is concerned, our implementation uses a combination of predicate abstraction [18] and trace partitioning [22]. The set of predicates is given by a finite set of atomic linear constraints and is also closed under negation, e.g., if $x + y \geq 0$ is a predicate then $x + y \leq -1$ is also a predicate. Abstract values are positive Boolean combinations of atoms taken from the set of predicates. Observe that although negation is forbidden in the definition of abstract values, the abstract domain is closed under complement.

The set of predicates is chosen so that the following invariant holds: each time the control hits line 3, the set contains enough predicates to represent precisely each well-founded relation in $W$. Our implementation provides enhanced precision by enforcing a stronger invariant: besides the above predicates for $W$, it includes all atomic linear constraints occurring in the formulas representing $X_1, \ldots, X_\ell$ where $\ell \geq 0$, $X_0 = (\neg W)$ and $X_{i+1} = (\neg W) \cup X_i \circ R^{-1}$. The value of $\ell$ is user-defined and, in our experiments, it did not exceed 1.

To further enhance precision at line 3, we apply trace partitioning [22]. The set of $R$-traces is partitioned using the linear atomic constraints of the form $f(\mathbf{x}') < f(\mathbf{x})$ that appear in $W$. More precisely, partitioning $R$ on $f(\mathbf{x}') < f(\mathbf{x})$ is done by replacing each $\rho_i$ by $(\rho_i \wedge f(\mathbf{x}') < f(\mathbf{x})) \vee (\rho_i \wedge f(\mathbf{x}') \geq f(\mathbf{x}))$.

As for conditional termination, overapproximating $\mathcal{L} = \mathit{gfp}\, \lambda\mathcal{X}.\, pre[R_B](\mathcal{X})$ is done by computing the last element $\mathcal{X}_\ell$ of the finite sequence $\mathcal{X}_0, \ldots, \mathcal{X}_\ell$ given by $\mathcal{X}_0 = Q$ and $\mathcal{X}_{i+1} = \mathcal{X}_i \wedge pre[R_B](\mathcal{X}_i)$, where $\ell$ is predefined. The result is always representable as a DNF formula where the atoms can be any atomic linear constraints. As for $\mathcal{V} = \mathit{lfp}\, \lambda\mathcal{X}.\, \mathcal{L} \cup pre[R](\mathcal{X})$, an overapproximation is computed in a similar way to that of line 3, i.e., using a combination of predicate abstraction and trace partitioning.

7 Experiments 

We have evaluated our prototype implementation against a set of benchmarks collected from publications in the area [9,7]. In what follows, we present the results of our implementation for those loops, and compare them to existing tools for proving termination [26,7,6] as well as tools for inferring preconditions for termination [9]. We compare the different techniques according to what the corresponding implementations report. We ignore performance because, for the selected benchmarks, little insight can be gained from performance measurements when an implementation was available (which was not always the case [27]).

The benchmarks accompanied with our results are depicted in Table 1. Translating each loop to a relation of the form $R = \rho_1 \vee \cdots \vee \rho_n$ is straightforward. Every line in the table includes a loop and its inferred termination precondition (true means it terminates for any input). In addition, preconditions (different from true) marked with • are optimal, i.e., the corresponding loop is non-terminating for any state in the complement.

loop                                                                  termination precondition 
 1  while (x>0) x'=-2x+10;                                            true 
 2  while (x>0) x'=x+y; y'=y+z;                                       x<0 ∨ z<0 ∨ (z=0 ∧ y<0) ∨ 
                                                                      x+y<0 ∨ x+2y+z<0 ∨ x+3y+3z<0 
 3  while (x<N) if (*) { x'=2*x+y; y'=y+1; } else x'=x+1;             x ≥ N ∨ x+y > 0 
 4  @requires n>200 and y<9 
    while (1) if (x<n) { x'=x+y; if (x'>200) break; }                 n ≤ 200 ∨ y ≥ 9 ∨ (x<n ∧ y>1) ∨ 
                                                                      (x<n ∧ x>200 ∧ x+y>200) 
 5  while (x≠y) if (x>y) x'=x-y; else y'=y-x;                       • (x ≥ 1 ∧ y ≥ 1) ∨ x = y 
 6  while (x<0) x'=x+y; y'=y-1;                                       x ≥ 0 ∨ x+y ≥ 0 ∨ x+2y ≥ 1 ∨ x+3y ≥ 3 
 7  while (x>0) x'=x+y; y'=-2y;                                     • x ≤ 0 ∨ y ≠ 0 
 8  while (x<y) x'=x+y; y'=-2y;                                     • x ≥ 0 ∨ y ≠ 0 
 9  while (x<y) x'=x+y; 2y'=y;                                      • x ≥ 0 ∨ y ≠ 0 
10  while (4x-5y>0) x'=2x+4y; y'=4x;                                • jy \ 1 ∨ (3x-4y > 0 ∧ 16x-21y > 1) 
11  while (x<0) x'=x-y; y'=x+y;                                     • x ≥ 0 ∨ y ≠ 0 
12  while (x>0 and y>0) x'=-2x+10y;                                   x ≤ 3 ∨ 10y-3x ≠ 0 
13  while (x>0) x'=x+y;                                               x<0 ∨ y<0 ∨ x+y<0 
14  while (x<10) x'=-y; y'=y+1;                                     • y ≤ -10 ∨ x ≥ 10 
15  while (x<0) x'=x+z; y'=y+1; z'=-2y;                               x>0 ∨ x+z>0 
16  while (x>0 and x<100) x'>2x+10;                                   true 
17  while (x>1) 2x'=x;                                              ★ true 
18  while (x>1) 2x'<x;                                                true 
19  while (x>15) 2x'<x;                                               true 
20  while (x>0) x'=x+y; y'=y-1;                                       true 
21  while (4x+y>0) x'=-2x+4y; y'=4x;                                  4x+y ≤ 0 ∨ yx '+A ^ u A OA 1-jy ^ 
22  while (x>0 and x<y) x'=2x; y'=y+1;                                true 
23  while (x>0) x'=x-2y; y'=y+1;                                      true 
24  while (x>0 and x<n) x'=-x+y-5; y'=2y; n'=n;                       true 
25  while (x>0 and y<0) x'=x+y; y'=y-1;                             ★ true 
26  while (x-y>0) x'=-x+y; y'=y+1;                                    true 
27  while (x>0) x'=y; y'=y-1;                                         true 
28  while (x>0) x'=x+y-5; y'=-2y;                                     true 
29  while (x+y>0) x'=x-1; y'=-2y;                                     true 
30  while (x>y) x'=x-y; 1≤y'≤2;                                       true 
31  while (x>0) x'=x+y; y'=-y-1;                                      true 
32  while (x>0) x'=y; y'<-y;                                          true 
33  while (x<y) x'=x+1; y'=z; z'=z;                                   true 
34  while (x>0) x'=x+y; y'=y+z; z'=z-1;                               true 
35  while (x+y>0 and x<z) x'=2x+y; y'=y+1; z'=z;                      true 
36  while (x>0 and x<z) x'=2x+y; y'=y-1; z'=z;                        true 
37  while (x>0) x'=x+y; y'=z; z'=-z-1;                                true 
38  while (x-y>0) x'=-x+y; y'=z; z'=z+1;                              true 
39  while (x>0 and x<y) x'>2x; y'=z; z'=z;                            true 
40  while (x>0 and x+y>0) x'=x+y+z; y'=-z-1; z'=z;                  ★ true 
41  while (x+y>0 and x<n) x'=2x+y; y'=z; z'=z+1; n'=n;                true 

Table 1. Benchmarks used in experiments. Loops (1-5) are taken from [9] and (6-41) from [7]. 
Preconditions marked with • are optimal; loops marked with ★ have a linear ranking function. 

We have divided the benchmarks into 3 groups: (1-5), (6-15) and (16-41). With the 
exception of loop 1, each loop in group (1-5) includes non-terminating executions and 
thus those loops are suitable for inferring preconditions. Our implementation reports 
the same preconditions as the tool of Cook et al. [9], save for loop 1, for which their 
tool is reported to infer the precondition x > 5 ∨ x < 0, while we prove termination 
for all inputs. Note that every other tool used in the comparison [7,6,26] fails to prove 
termination of this loop. Further, the precondition we infer for loop 5 is optimal. 

All the loops (6-15) are non-terminating. Chen et al. [7] report that their tool cannot 
handle them since it aims at proving termination and not at inferring preconditions for 
termination. We infer preconditions for all of them, and in addition, most of them are 
optimal (those marked with •). Unfortunately, for those loops we could not compare 
with the tool of Cook et al. [9], since there is no implementation available [27]. 

Loops in the group (16-41) are all terminating. Those marked with ★ actually have 
linear ranking functions; those unmarked require disjunctively well-founded transition 
invariants with more than one disjunct. We prove termination of all of them except loop 
21. We point out that the tool of Chen et al. [7] also fails to prove termination of loop 21, 
and fails on loop 34 as well. On the other benchmarks, they prove termination. They also report 
that PolyRank [6] failed to prove termination of any of the loops that do not have a 
linear ranking function. In addition, we applied ARMC [26] on the loops of the group 
(16-41). ARMC, a transition-invariant-based prover, succeeded in proving termination 
for all those loops with a linear ranking function (marked with ★) and also loop 39. 

Next we discuss in detail the analysis of two selected examples from Table 1. 

Example 8. Let us explain the analysis of loop 1 in detail, starting with the root call 
Acabar(R, ∅) where R = {x > 0, x' = -2x + 10}. At line 2, since R includes the bound 
x > 0, i.e., f(x) = x is a potential linear ranking function, we add {x' < x, x > 0} to W. 
Computing G at line 3, hence R_B at the following line, results in R_B = ρ_1 ∨ ρ_2 where 
ρ_1 = {x' = -2x + 10, x > 0, x ≤ 3} and ρ_2 = {x' = -2x + 10, x ≥ 4, x ≤ 5}. 

Note that ρ_1 is enabled for 0 < x ≤ 3 and in this case x' ≥ x. Also ρ_2 is enabled for 
x = 4 or x = 5, for which x' < x and thus ρ_2 ⊆ W; however, after one more iteration, the 
value of x increases (this is why ρ_2 is included in R_B). Transitions for which x > 5 are 
not included in R_B, hence they belong to R_G, itself included in W (Lem. 3). Hence when 
x > 5 termination is guaranteed; this is also easily seen since those transitions terminate 
after one iteration. 

Since R_B is neither empty nor equal to R, a recursive call to Acabar(R_B, W) takes 
place. At line 2, we add {-x' < -x, 10 - x > 0} to W since f(x) = 10 - x is a linear 
ranking function for ρ_1. Note that ρ_2 has the linear ranking function f(x) = x already 
included in W. Computing G at line 3, hence R_B, yields R_B = ∅ and therefore we 
conclude that the loop terminates for any input. ■ 

Example 9. Let us explain the analysis of loop 9 in detail, starting with the root call 
Acabar(R, ∅) where R = {x < y, x' = x + y, 2y' = y}. At line 2, since R includes the 
bound y - x > 0, i.e., f(x,y) = y - x - 1 is a potential linear ranking function, we 
add {y' - x' < y - x, y - x - 1 ≥ 0} to W. Computing G at line 3, hence R_B, yields 
R_B = {x < y, x' = x + y, 2y' = y, y ≤ 0}. Note that R_B exclusively consists of transitions 
where y is not positive, in which case y' - x' ≥ y - x and thus they are not included in W. 
Transitions where y is positive are not included in R_B (hence they belong to R_G) since 
they always decrease y - x, and thus are transitively included in W (Lem. 3). 

Since R_B is neither empty nor equal to R, we call recursively Acabar(R_B, W). At 
line 2, since R_B includes the bound y ≤ 0 (or equivalently -y ≥ 0), i.e., f(x,y) = -y is 
a potential linear ranking function, we add {-y' < -y, -y ≥ 0} to W. Computing G at 
line 3, hence R_B, yields R_B = {x < y, x' = x + y, 2y' = y, y = 0}. Note that R_B exclusively 
consists of transitions where y = 0, which keep both values of x and y unchanged. 
Transitions in which y is negative belong to R_G, hence they are transitively covered by 
W (Lem. 3), in particular by the last update (viz. {-y' < -y, -y ≥ 0}) to W. 

Since R_B is neither empty nor equal to R, we call recursively Acabar(R_B, W). This 
time our implementation does not further enrich W with a well-founded relation, and as 
a consequence, after computing G at line 3, we get that R_B = R. Hence, Acabar returns 
with R_B = {x < y, x' = x + y, 2y' = y, y = 0}. 

Now, given R_B, we infer a precondition for termination as described in Sec. 5. We 
first compute gfp λX.pre[R_B](X), which in this case converges in two steps with Z = 
(y = 0 ∧ x < 0). Then we compute lfp λX. Z ∪ pre[R](X), which results in Y = (y = 0 
∧ x < 0). The complement, ¬Y = (y < 0 ∨ y > 0 ∨ x ≥ 0), is a precondition for termination. 
Note that the result is optimal, i.e., Y is a precondition for non-termination. Optimality 
is achieved because Z and Y coincide with the gfp and the lfp of the corresponding 
operators, and are not overapproximations. ■ 
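The two fixpoints of Example 9, and the truncated sequence X_0, ..., X_ℓ of Sec. 6, can be computed concretely by explicit-state enumeration. The following Python is an added illustration, not the paper's implementation: it runs loop 9 on a constructed box of integer states, computes Z = gfp λX.pre[R_B](X) and Y = lfp λX. Z ∪ pre[R](X), and checks the resulting precondition against actual executions. The box bound, the reading of 2y' = y as "y even and y' = y/2", and all function names are assumptions.

```python
# Added example, not the paper's implementation: explicit-state version of the
# conditional-termination fixpoints of Sec. 5/6 applied to loop 9 of Table 1.
# Assumptions: the integer box below, 2y'=y read as "y even and y'=y/2", names.
from itertools import product

BOUND = 12  # constructed state space: x, y in [-BOUND, BOUND]
STATES = [(x, y) for x, y in product(range(-BOUND, BOUND + 1), repeat=2)]

def loop9(x, y):
    """Successors of (x, y) under R = {x < y, x' = x + y, 2y' = y}."""
    if x < y and y % 2 == 0:
        return [(x + y, y // 2)]
    return []  # guard false or no integer y' with 2y' = y: the loop stops

def loop9_rb(x, y):
    """R_B returned by Acabar in Example 9: the transitions of R with y = 0."""
    return loop9(x, y) if y == 0 else []

def pre(rel, X):
    """pre[rel](X): states with at least one rel-successor inside X."""
    return {s for s in STATES if any(t in X for t in rel(*s))}

def gfp_pre(rel, ell=None):
    """X_{i+1} = X_i ∧ pre[rel](X_i) from X_0 = all states. ell=None iterates to
    Z = gfp λX.pre[rel](X); a finite ell stops at X_ell (the Sec. 6 approximation).
    Returns the set and the number of pre computations performed."""
    X, steps = set(STATES), 0
    while ell is None or steps < ell:
        nxt, steps = X & pre(rel, X), steps + 1
        if nxt == X:
            break
        X = nxt
    return X, steps

def lfp_reach(rel, Z):
    """Y = lfp λX. Z ∪ pre[rel](X): states that can reach Z along rel."""
    X = set(Z)
    while True:
        nxt = X | pre(rel, X)
        if nxt == X:
            return X
        X = nxt

def runs_forever(x, y, fuel=100):
    """Concrete check: execute loop 9 for up to `fuel` steps."""
    for _ in range(fuel):
        succ = loop9(x, y)
        if not succ:
            return False
        (x, y), = succ
    return True
```

On this box, `gfp_pre(loop9_rb)` converges after two pre computations to Z = {(x, 0) : x < 0}, `lfp_reach(loop9, Z)` returns the same set, and every state outside it terminates under `runs_forever`, matching the optimal precondition of Example 9.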

8 Conclusion 

This work started with the invited talk of A. Podelski at ETAPS '11, who remarked that 
the inclusion check R⁺ ⊆ W is equivalently formulated as a safety verification problem 
where states are made of pairs. Back in late 2007, a PhD thesis [17] proposed a new 
approach to the safety verification problem in which the author shows how to leverage 
the equivalent backward and forward formulations of the inclusion check. Those two 
events planted the seeds for the backward inclusion check R ⊆ W̃, and later Acabar. 

Initial States. For the sake of simplicity, we deliberately excluded the initial states I 
from the previous developments. Next, we introduce two possible options to incorporate 
knowledge about the initial states in our framework. The first option consists in 
replacing R by R', given by R ∩ (Acc × Acc), where Acc denotes (an overapproximation 
of) the reachable states in the system. Formally, Acc is given by the least fixpoint 
lfp λX. I ∪ post[R](X). 

The second option is inspired by the work of Cousot [12], where he mixes backward 
and forward reasoning. We give here some intuitions and a preliminary development. Recall 
that the greatest fixpoint gfp λY. W ∩ g(Y) of line 3 is best understood as the result 
of removing all those pairs (s, s') ∈ W such that (s, s') ∘ R⁺ ⊈ W. We observe that the 
knowledge about initial states is not used in the greatest fixpoint. A way to incorporate 
that knowledge is to replace the greatest fixpoint expression by the following one, 
gfp λY. (B ∩ W) ∩ g(Y), where B takes the reachable states into account. In future work, 
we will formally develop those two options and evaluate their benefit. 

Related Works. As for termination, our work is mostly related to the work of Cook et 
al. [10,11], where the inclusion check R⁺ ⊆ W [24] is put to work by incrementally 
constructing W. Our approach, being based on the dual check R ⊆ W̃, adds a new 
dimension of modularity/incrementality in which R is also modified to safely exclude 
those transitions for which the current proof is sufficient. The advantage of the dual 
check was shown experimentally in Sec. 7. However, let us note that in our implementation 
we use potential ranking functions and trace partitioning, which are not used in 
ARMC [10]. Moreover, our approach smoothly applies to conditional termination. 

Kroening et al. [20] introduced the notion of compositional transition invariants, 
and used it to develop techniques that avoid the performance bottleneck of previous 
approaches [11]. Recently, Chen et al. [7] proposed a technique for proving termination 
of single-path linear-constraint loops. Contrary to their techniques, we handle general 
transition relations and our approach applies also to conditional termination. 

As for conditional termination, the work of Cook et al. [9] is the closest to ours. 
However, we differ in the following points: (a) we do not use universal quantifier 
elimination, whose complexity is usually very high, depending on the underlying theory 
used to specify R. Instead, we adopt a fixpoint-centric view that allows using abstract 
interpretation, and thus to control precision and performance; (b) we do not need special 
treatment for loops with phase transitions (as the one of Sec. 2); they are handled 
transparently in our framework. Bozga et al. [5] studied the problem of deciding conditional 
termination. Their main interest is to identify families of systems for which 
gfp λX.pre[R](X), the set of non-terminating states, is computable. 

It is worth "terminating" by mentioning that several formulations of the termination 
problem similar to the check R⁺ ⊆ W have appeared before [8,21,16]. They have 
also led to practical tools for the corresponding programming paradigms. The relation 
between these approaches was recently studied [19]. Works based on these formulations, 
in particular those that construct global ranking functions for R [3], might serve as a 
starting point to understand some (completeness) properties of our approach. This is 
left for future work. 